3 Introduction
ISACA's 2012 IT Risk/Reward Barometer (HK/China): IT professionals remain wary of public clouds. Figures as reported on the slide:

Public clouds
- The risk outweighs the benefit: 70%
- The benefit outweighs the risk: 16%
- The risk and benefit are appropriately balanced: 14%

Private clouds
- The benefit outweighs the risk: 63%
- The risk outweighs the benefit: 17%
- The risk and benefit are appropriately balanced: 21%

70% believe that the risk of using public clouds outweighs the benefit, while 63% believe that the benefit of using private clouds outweighs the risk.

5 Security Challenges: Basic Issues
The security risks associated with cloud computing are not really new risks. Cloud computing may change some aspects of those risks, but the risks themselves are not new. There are more and less secure cloud environments, just as there are more and less secure local data centers. The potential risks and security challenges may weaken potential users' intention to adopt the cloud. Adoption of cloud computing is not risk-free: organizations need to fully understand the risks associated with cloud computing and adopt a risk-based approach to incorporating a cloud computing strategy into their IT plans.

8 Other Security Challenges (1)
Identity and Access Management
- Requires secure and timely provisioning and de-provisioning of users in the cloud
- Authorization will continue to be the weakest point for cloud data stores (Georgia Institute of Technology)
Portability and Interoperability
- Need to reduce the risk of vendor lock-in and inadequate data portability
- Service providers may suddenly go out of business or discontinue one or more of their cloud services

9 Other Security Challenges (2)
Service Availability, Business Continuity and Disaster Recovery
- Occasional outages of cloud services
- Loss of Internet service may interrupt cloud services
Incident Response, Notification and Remediation
- Complexity of security incidents in a cloud environment
- Efficiency of notification and remediation

10 Risk Mitigation Strategy for Adopting Cloud Computing: Planning Strategy
Initial Risk Assessment
- Is there a business need? What are the benefits?
- What part of the business is suitable to be put onto the cloud? Are there any impediments to outsourcing?
- What types of workloads are being deployed on public and private clouds?
- What challenges and threats are relevant?
- What is the impact if data is lost or the service is unavailable?
- Does the benefit outweigh the risk?
Major Affecting Factors
- Sensitivity of the data to be stored or processed
- How the chosen service provider has implemented their cloud services and the corresponding security measures
When to Conduct a Risk Assessment
- Before adopting, periodically while using, and after major changes

11 Risk Mitigation Strategy for Adopting Cloud Computing: Before You Start Using
Selection of a Cloud Service Provider
Read the Terms of Service and the Security & Privacy Policy, and note:
- how your company can use the cloud service;
- how your data is stored and protected;
- whether the service provider has access to your data, and if so, how that access is restricted;
- how to report an incident;
- how to terminate the service, and whether data is retained after service termination;
- whether the Privacy Policy follows the data protection principles of the Personal Data (Privacy) Ordinance.
Negotiate the Terms of Service with the service provider if not all of the terms are acceptable. If you cannot find a service provider that meets your requirements, reconsider the use of cloud services. Understand whether there are secondary uses of your account information without your knowledge or consent.

13 Risk Mitigation Strategy for Adopting Cloud Computing: Before You Start Using
Data Ownership
- Check whether the service provider reserves rights to use, disclose, or make public your information.
- Check whether the intellectual property rights of data you own remain intact.
- Check whether the service provider retains rights to your information even after you remove your data from the cloud.
- Understand whether you can move or transfer your data and the service to another provider when you want to, and whether export utilities are available and easy to use.
- Check whether data can be permanently erased from the cloud, including any backup storage, when you delete the data or end the service.

14 Risk Mitigation Strategy for Adopting Cloud Computing: Before You Start Using
Additional Selection Considerations
- Select a service provider that can explain clearly what security features are available, preferably supported by an independent information security management certification (e.g. ISO/IEC 27001).
- Select a service provider with no major security incident reported, or one that is transparent about previous security incidents, with cause and remediation explained.
- Select a service provider that ensures data confidentiality by using encryption both to transmit data and to protect data at rest. If it does not, you have to apply your own encryption before storing data in the cloud. In that case keep your encryption key safe: the provider holds only ciphertext and cannot recover data encrypted under a key you have lost.

15 Risk Mitigation Strategy for Adopting Cloud Computing: Before You Start Using
Key Management in the Cloud
Encryption key at the service provider's side:
1. a single master key for all users, managed by the cloud provider
2. a per-user key, managed by the cloud provider
3. a per-user key, managed by the user
Encryption key at the user's side:
1. key stored on the individual user's device
2. a key management server installed in the user's data center
Encryption key at a third party:
1. encryption-as-a-service: use another SaaS solution to manage your keys away from your cloud provider of choice
The further the key is kept from the provider, the less the provider (or anyone who compromises or compels it) can read, but the more of the key-backup and availability burden falls on the user.
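Slides 14 and 15 tell you to encrypt data yourself before storing it in the cloud when the provider does not, and list a user-held key as one option. The Go program below is an added example, not code from this presentation or from any named provider. It shows the "key at the user's side" option as envelope encryption with AES-256-GCM: a fresh data key (DEK) for every stored object, wrapped under a key-encryption key (KEK) that never leaves the user, with the object name used as associated data so that whoever operates the storage cannot swap envelopes between objects. The object name, sample document and all function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32      // AES-256 key size in bytes
const gcmNonceLen = 12 // standard GCM nonce size

// Envelope is the only thing uploaded to the cloud store. Without the
// user-held KEK it is opaque to the provider.
type Envelope struct {
	WrappedDEK []byte // wrapNonce || AES-GCM(KEK, DEK), bound to the object name
	Nonce      []byte // nonce for the object ciphertext
	Ciphertext []byte // AES-GCM(DEK, plaintext), bound to the object name
}

// NewKEK returns a fresh 256-bit key-encryption key. This is the secret the
// user must keep safe: lose it and every envelope becomes unrecoverable.
func NewKEK() ([]byte, error) { return randomBytes(keyLen) }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

// aeadSeal encrypts plaintext under key with a random nonce, authenticating aad.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(g.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to ct, nonce or aad fails the tag check.
func aeadOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt builds an envelope: per-object DEK, wrapped under the user's KEK.
// objectID (e.g. the storage path) is associated data for both layers, so an
// envelope copied to a different object name will not decrypt.
func Encrypt(kek, objectID, plaintext []byte) (*Envelope, error) {
	dek, err := randomBytes(keyLen)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := aeadSeal(kek, dek, objectID)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := aeadSeal(dek, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: append(wrapNonce, wrapped...), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and opens the object. A wrong KEK, a
// wrong objectID or a tampered envelope all fail closed with an error.
func Decrypt(kek, objectID []byte, env *Envelope) ([]byte, error) {
	if len(env.WrappedDEK) < gcmNonceLen {
		return nil, errors.New("malformed wrapped key")
	}
	dek, err := aeadOpen(kek, env.WrappedDEK[:gcmNonceLen], env.WrappedDEK[gcmNonceLen:], objectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, env.Nonce, env.Ciphertext, objectID)
}

func main() {
	kek, _ := NewKEK()
	id := []byte("invoices/2013-01.pdf") // constructed sample object name
	env, _ := Encrypt(kek, id, []byte("constructed sample document"))
	// The provider stores env; only the KEK holder can read it back.
	pt, err := Decrypt(kek, id, env)
	fmt.Printf("%q %v\n", pt, err)
	lost, _ := NewKEK() // some other key, e.g. after the real KEK was lost
	_, err = Decrypt(lost, id, env)
	fmt.Println("with a different KEK:", err)
}
```

Decrypting with any key other than the original KEK fails the authentication tag rather than returning garbage, which is exactly why slide 14 insists on keeping the key safe: there is no recovery path through the provider. In a real deployment the KEK would live in a key management server or hardware module (slide 15's second user-side option) and be backed up under the organization's own procedures, not held in a variable as here.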

16 Risk Mitigation Strategy for Adopting Cloud Computing: When Using
Identification and Authentication
- Use a strong authentication method, such as two-factor authentication, if the cloud service offers it.
- Use strong passwords for each account, and different passwords for different accounts.
- Use different accounts for different staff.
- Change passwords periodically.
- Delete access accounts or change passwords immediately when there are staff changes.

17 Risk Mitigation Strategy for Adopting Cloud Computing: When Using
Data Protection
- Understand and keep a record of what type of data is stored in the cloud.
- Avoid sharing data with unintended parties by:
  - ensuring that only the intended recipients have access permissions when you share sensitive data with others through the cloud;
  - defining proper default permissions for files and folders.
- Understand the location (and thus the jurisdiction) of your data, including resilient copies such as backups and replicas.

18 Risk Mitigation Strategy for Adopting Cloud Computing: When Using
Cloud Administration
- Establish a simple access account policy for using the cloud service.
- Establish simple usage policies for your staff.
- Appoint suitable staff (with a basic understanding of the characteristics of cloud services) as the cloud service administrator.
- Conduct regular reviews of the access rights of staff who have access to cloud data.
- Provide basic security awareness training for staff using the cloud service.

19 Risk Mitigation Strategy for Adopting Cloud Computing: When Using
Service Continuity
- Obtain service support contact information from the service provider; in particular, keep a list of telephone numbers for reporting computer security incidents.
- Evaluate the potential damage to the company when the service is unavailable, data is lost, or data is accessed in an unauthorized manner.
- Develop a business continuity plan and work out alternatives for when the cloud service or data is not available.
- Prepare an exit strategy and ensure that termination procedures permit the transfer of data back to the company.
- Maintain a local backup copy of your important data so that it remains available when the service provider is out of service temporarily (e.g. a network outage) or permanently.

20 Policy & Guidelines for Cloud Computing
Security Policy: written in broad and generic terms; provides a high-level description of security requirements.
Security Guidelines: operational guides that detail how security controls should be implemented and managed.
Creating a new security policy for the cloud may not be necessary; instead, extend existing security policies to accommodate this additional platform.
A forthcoming ISO standard (being drafted at the time of this presentation) is expected to be a guideline or code of practice recommending relevant information security controls for cloud computing. It will recommend cloud-specific security controls in addition to the information security controls recommended in ISO 27002.

23 Government Cloud Computing Strategy
A step-by-step approach, in order to take full advantage of this new IT model while at the same time minimising the associated risks. (HKSARG)

24 Promotion of Adopting Cloud Computing
Expert Group on Cloud Computing Services and Standards
- To collaborate with academia, industry and professional bodies
- To promote, develop and adopt best practices and common services for SMEs
Three working groups were established under the Expert Group:
- Working Group on Cloud Computing Interoperability Standards (WGCCIS);
- Working Group on Cloud Security and Privacy (WGCSP); and
- Working Group on Provision and Use of Cloud Services (WGPUCS).

27 Conclusion
Users or potential users of cloud services must understand the benefits and risks involved so that they are better prepared to mitigate or control them. Potential cloud computing users should take the security challenges into consideration so that potential risks are accounted for before adopting the technology. Appropriate measures and controls should be deployed, commensurate with the assessed risk level and data sensitivity. Organizations need to know what to consider when selecting a cloud service provider, as well as what to consider when using cloud services.
